Hidden dangers

Computer hackers "Mudge," left, and "Weld Pond" testify on Capitol
Hill on May 19, 1998 before the Senate Governmental Affairs Committee
hearing on computer hacking. The hackers told the committee that
computer security is so lax, they could disable the entire Internet
in a half-hour. [AP photo: William Philpott]

As more commerce moves to computer networks, business and the
government turn to their former nemesis -- the hacker -- for help.

Good-guy hackers -- known as "ethical" or "white hat" hackers
-- are part of a fast-expanding and cocky breed of security troubleshooters
delivering a blunt message to U.S. companies. With malicious hacking
on the rise, corporate computer networks increasingly linked to
the Internet are as easy to penetrate as fists punching through
Jello.

Long in denial, corporate America is starting to listen. Company-approved
attacks by ethical hackers are cropping up nationwide. So far,
their efforts are rarely unsuccessful.

In San Antonio, Texas, ethical hackers at Cisco-WheelGroup Corp.
spring their attacks on corporate customers from a "war room"
run by ex-military types from the Air Force Information Warfare
Center. From a windowless room in the New York City suburbs, IBM's
security squad launches its hacks on dozens of corporate customers.
In Miami, an Ernst & Young team recently hacked with ease into
the network of a high-tech client in the Tampa Bay area.

Work is plentiful. Nearly two of every three companies responding
to a recent Computer Security Institute/FBI survey say they experienced
unauthorized use of their computer systems in the past year. That's
up from 50 percent in the 1997 survey and 42 percent in 1996.
And while company computer systems were hit both internally and
externally, companies' Internet connections were cited increasingly
as a frequent point of attack.

But security expertise does not come cheap. Ethical hackers, especially
those backed by big corporate and consulting names, regularly
charge $20,000 to $200,000, depending on the depth of their attack
and the size of the business client's network.

American companies spent about $6.3-billion on computer security
last year to combat computer fraud, theft of proprietary company
software and industrial espionage, according to the research firm
DataQuest. The market is expected to double to $13-billion by
2000.

Security experts say companies simply will have to pay to play
on a secure Internet.

At California high-tech giant Sun Microsystems, Linda McCarthy
spent years breaking into the networks of her employer. It was
her job to recommend security improvements to Sun's network, which
is hacked an average of 300 times every day. More hacking is inevitable
as the hacker population matures, says McCarthy, who now runs
the Network Defense security firm in Berkeley, Calif.

"Anybody who was a B-grade hacker is probably much more advanced
now, at least in knowing where to get hacker tools, and can typically
get into lots of computer systems," she said.

Give us 30 minutes
and we can bring down the Internet and cripple many businesses,
a hacker known as "Mudge" testified before a congressional panel
last month. The hacker is a founding member of Boston's elite
hacker group called L0pht, which alerts appropriate agencies when
they find gaping holes in computer security.

Seasoned IBM security consultant Nick Simicich of Boca Raton gives
the same advice to client companies about hackers that a locksmith
offers homeowners about burglars: Convince them other places are
more vulnerable to attack.

* * *

"Generally, our work is to deter hackers," Simicich said. "There
are hackers you catch and hackers you don't."

* * *

Besides assaults from malicious hackers, companies face other
online threats. Disgruntled workers and ex-employees are common
sources. Competing businesses -- under the buzzword "competitive
intelligence" -- increasingly are snooping online for any information
to help make the next big sale or gain a technological edge.

There is even a Society of Competitive Intelligence Professionals.
The group, with more than 6,500 members, only endorses legal research
tactics. (Some air routes in and out of high-tech cities like
San Jose, Calif., and Boston are considered intelligence gold
mines.)

Corporations in some industries also must guard against intrusions
from tech-hungry foreign governments -- in particular China, France,
Israel, Japan, Germany and Russia -- that converted their cold-war
spy machinery into "economic espionage" units.

While companies are reluctant to disclose a hack of any kind,
recent examples are plentiful:

INSIDER: Timothy Lloyd lost his job in 1996 as a computer network
programmer in Bridgeport, N.J., at Omega Engineering. Twenty days
later a software bomb deleted critical company files. Federal
prosecutors put direct costs of the wipeout at $2.4-million and
its indirect costs in lost business at another $8-million. Lloyd
pleaded innocent to charges of destroying computer files valued
at $10-million. He faces up to five years in jail and a fine equal
to twice the company's losses, or up to $20-million.

COMPETITOR: A unit of the British news agency Reuters is accused
of trying to steal software from competitor Bloomberg LP by urging
a consultant to transfer screens full of data from Bloomberg to
Reuters. The matter is before a grand jury.

FOREIGN GOVERNMENT: French intelligence allegedly has spied on
U.S. companies by wiretapping U.S. businessmen flying on Air France
between New York and Paris. And Germany's Federal Intelligence
Service had been successful in economic espionage by using a top-secret
computer facility outside Frankfurt, Germany, to break into data
networks and data bases of companies and governments around the
world, according to a report by Edwin Fraumann, an FBI agent in
New York.

A few companies are taking steps on their own to improve the security
odds. In the Tampa Bay area, a group of companies recently formed
the first local (and currently Florida's only) chapter of the
Information Systems Security Association as a forum to swap ideas.
The group (http://www.tampaissa.org) meets for the first time
June 24 to hear experts discuss cybercrime at the Tampa Airport
Hilton at Metrocenter.

Even the stodgy insurance industry is starting to recognize hacker
attacks as a real business risk. Lloyd's of London in April joined
a small number of insurers offering companies insurance against
hackers, viruses and computer sabotage.

* * *

The big fees paid for corporate security are attracting hackers
with more troubling credentials. Many are swapping their old black-hat
ways for white-hat paychecks, jumping into the potentially lucrative
corporate computer security business.

Among the "reformed" is Yobie Benjamin, a hacker for 20 years
who now works as the technical security guru at Cambridge Technology
Partners, a Cambridge, Mass., network consulting firm with a penchant
for hiring ex-hackers. Best known for finding flaws in Microsoft's
Windows NT operating software, Benjamin says he hires white-hats,
though many are reformed street hackers now in their 30s.

Large companies don't seem to mind. Last month, Benjamin's company
invited data security managers from three dozen Fortune 1,000
companies to attend "New Hack Tour," a seminar on the latest hacking
trends. They were dismayed to hear of dozens of new network hacks
making the rounds.

Six years ago, a massive party was thrown by a young computer
bulletin board operator who goes by the name Dark Tangent. That
party evolved into the DefCon annual convention, the biggest hacker
gathering in the country. And Dark Tangent, who in real life is
Jeff Moss, now provides security consulting for San Jose's Secure
Computing Inc.

Alongside DefCon, Moss helps run an accompanying seminar dubbed
the "Black Hat briefings" that serves as a mixer for hackers and
corporate security professionals.

Once a cosmetics company approached Moss and, sight unseen, commissioned
the hacker to break into a competing company's network and steal
a perfume formula. Moss declined. But the attempt at corporate
espionage by using hackers is increasingly popular.

Former hacker Erik Bloodaxe (real name: Chris Goggans) helped
found and lead the infamous 1980s hacker group Legion of Doom.
Now he is peddling his hacker skills to corporations, first in
Austin, Texas, and now at Security Design International in Falls
Church, Va.

SDI's consultants, the company says on its Web site, are "carefully
selected for a combination of technical ability and 'real world'
experience."

Ex-hacker Christian Valor recently lectured a paying audience
of corporate and government security employees on how, for bragging
rights, gangs of malicious hackers last year broke into 363 major
Web sites, including ABC News and the Army Information Center.
Valor was hired by retired Army colonel Fred Villella, founder
of the California security firm New Dimensions International.

The trend of hackers-turned-consultants makes for some lively
debate.

"Would you trust an ex-burglar or an ex-arsonist?" Ken Lindup,
a senior consultant at security specialist SRI Consulting, asked
at a recent security conference. Lindup gives a thumbs down to
hiring once-nasty hackers to wander through company computer systems.
Avoid the temptation, he advises. On the flip side, many traditional
hackers suspicious of Big Brother aren't happy about their brethren
defecting to the computer security establishment. Complained one
hacker: "It's like Anakin Skywalker (Luke Skywalker's father,
before he became Darth Vader in Star Wars) being seduced by the
Dark Side of the Force."

Ira Winkler doesn't mince words about the inability of U.S. businesses
to protect themselves against hackers.